Fix CVE-2021-3181:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3181

Patch copied from upstream source repository:

https://gitlab.com/muttmua/mutt/-/commit/c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545

From c059e20ea4c7cb3ee9ffd3500ffe313ae84b2545 Mon Sep 17 00:00:00 2001
From: Kevin McCarthy <kevin@8t8.us>
Date: Sun, 17 Jan 2021 10:40:37 -0800
Subject: [PATCH] Fix memory leak parsing group address.

When there was a group address terminator with no previous addresses,
an address would be allocated but not attached to the address list.

Change this to only allocate when last exists.

It would be more correct to not allocate at all unless we are inside a
group list, but I will address that in a separate commit to master.
---
 rfc822.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rfc822.c b/rfc822.c
index 7ff4eaa3..ced619f2 100644
--- a/rfc822.c
+++ b/rfc822.c
@@ -587,11 +587,10 @@ ADDRESS *rfc822_parse_adrlist (ADDRESS *top, const char *s)
 #endif
 
       /* add group terminator */
-      cur = rfc822_new_address ();
       if (last)
       {
-	last->next = cur;
-	last = cur;
+	last->next = rfc822_new_address ();
+	last = last->next;
       }
 
       phraselen = 0;
-- 
GitLab

